Solved: Re: SAML Support for Remote Access VPN - Page 4

PhoneBoy · ‎2021-04-28

This question has come up a lot on the community.
We now have a formally supported solution that allows integration with ADFS and other SAML-based authentication.
This requires Check Point gateways running (at minimum) the following releases:

R80.40 JHF 114 or above (not supported with Maestro)
R81 JHF 42 or above (not supported with Maestro)
R81.10 JHF 9 or above (not supported with Maestro)
R81.20 (supported with Maestro) and above

The following VPN clients are supported (minimum versions listed):

E84.70 on Windows
E85.30 on macOS
Capsule VPN clients (see sk181494), which requires the following gateway versions:
- R81.10 JHF 43 and above
- R81.20 JHF 113 and above

This solution is NOT currently supported with:

Capsule Workspace
Embedded Gaia/SMB Gasteways

If such support is needed, please open an RFE with your local Check Point office.

You can see the details in the R81.20 Remote Access VPN guide under SAML Support for Remote Access VPN and/or sk172909.

See also this video by @Peter_Elmer

(Last edited April 2024)

anstelios · ‎2022-10-25

@PhoneBoy

We need this integrated in R81.20.

I cannot imagine a customer would accept this solution without MFA prompting every time the user connects to the VPN!

PhoneBoy · ‎2022-10-25

In the current public EA, at least, it's not integrated.
Hopefully a formal SK can be created for this issue.

lrossi89 · ‎2023-02-22

Can you explain better ?

rohmatcsi · ‎2023-04-18

@Hi @nflnetwork29

Could you share the file from tac? I have same issue, need to change ForceAuthn to be true.

Thank you

PhoneBoy · ‎2023-04-19

Upon further investigation, the appropriate place to configure this is on the Azure AD side.
See: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access...

rohmatcsi · ‎2023-04-20

Hi @PhoneBoy

already solved now by suggestion from TAC Support, with update authsource.php file with adding forceauthn ==> true inside. at this moment user always prompt username and password.

thank you

PhoneBoy · ‎2023-04-20

Just to document this for other people, the location of this file is: /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php
However, you will still need to get the updated file from TAC.

Erzhan · ‎2022-09-15

Hello!

I confgured all as it mentinoned in guide, but stopped on last step where i should deploy script. I'm worried about deployment of script due to we have 4 GW clusters in our configuration and SmartConsole mgmt server. Currently we have one GW that all users use VPN connection, but i am testing new features on another GW. I don't want donwtime for user that already use VPN with different authertification method. Will script affect all user authertification method or it just add values to database and won't affect current users?

I checked the script essentially it add some values in database, but i am not 100% sure. If you need any other infomation please let me know.

Gaurav_Pandya · ‎2022-10-11

Hi PhoneBoy,

We are planning to use SAML authentication for mobile access vpn. We are on R81.10 Take 66 and already using NPS server for authentication, switching from NPS to SAML. I am following sk172909, I have query regarding script. Do I need to run the script for this scenario because in the sk172909 it is not mentioned "mobile access" in product section.

PhoneBoy · ‎2022-10-11

If you're using the regular VPN client (not SNX), this script applies, whether or not mobile access is involved.

Gaurav_Pandya · ‎2022-10-12

Thanks. We are using SNX so first I will test without applying script

Carsten_R · ‎2022-10-14

I've done a setup in my lab with R81.10 and it's working very well.

But I have a question for the VPN Community "RemoteAccess".

It's not possible to add a Azure AD group or Identity Tag to the "Participant User Groups".

But what if that VPN Community already contains existing local or LDAP groups?

Is it ok to remove them all (result is "All Users") and just trust only on the Access Role definitons?!

PhoneBoy · ‎2022-10-14

Yes, that's the correct way to do it: use Access Roles in your access policy.

Carsten_R · ‎2022-10-23

Ok, thanks, but I now run into an issue beond this. The authorization seems not to work.

I'm using the Microsoft Graph API access / permission to retrieve the group / role assignments. But the user is only getting the group "All Users" and no Role.

I've tried it in Access Role with the AAD group for my Remote Users and also tried it with the Identity Tag.

I'm using R81.10 for Management and Gateway.

I followed this guide: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...

biskit · ‎2022-10-24

How are you checking for Role? #pdp monitor user xxx ?

I wonder if your legacy user group in SmartConsole is configured properly - with the correct naming convention?

Does the guide in this link help you? Solved: Re: Access Role not working? - Check Point CheckMates

Carsten_R · ‎2022-10-24

Exactly, I check it with "pdp monitor user xxx"

I've also tested it with a legacy group (with and without the prefix) - no success.

Do I really need legacy group? I run with R81.10 and that should be able to use Microsoft Graph.

I saw the mentioned guide earlier, but that also didn't fixed it.

biskit · ‎2022-10-24

My understanding of the way it currently works (and how I have mine working) is that you need to use an empty legacy user group with EXT_ID_ and then the exact name (and CaSe) of the Azure group. Then you use that legacy group within an Access Role. It's a bit convoluted but it does work.

Does the authentication work properly when you log in? Or does it fail with an error?

Carsten_R · ‎2022-10-24

Authentication is working as expected.

I've now tried it again with a local group. Tried it with the prefix EXT_ID_ and then the group name and another try with the role name.

pdp monitor shows in both cases this:

[...]

Groups: All Users
Roles: -
Client Type: Remote Access

biskit · ‎2022-10-24

Hmm, that sounds most likely to be a problem with the SmartConsole configuration where your user isn't being matched to the correct group/Access Role. Did you check the Manifest bit in Azure, according to the guide? Is that correct?

Carsten_R · ‎2022-10-24

The manifest file contains three roles. Two were pre-configured, and the role "VPN_Users" is my manual added role.

I have disabled the pre-configured role "msiam" and "Users" - but that didn't fixed it.

"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "msiam_access",
"displayName": "msiam_access",
"id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
"isEnabled": false,
"value": "msiam_access"
},
{
"allowedMemberTypes": [
"User"
],
"description": "User",
"displayName": "User",
"id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
"isEnabled": false,
"value": "User"
},
{
"allowedMemberTypes": [
"User"
],
"description": "VPN_Users",
"displayName": "VPN_Users",
"id": "cc5031b0-2ccd-4331-bb47-6ad6b053d098",
"isEnabled": true,
"value": "VPN_Users"
}
],

Could you please post here your group claim configuration. How do you exactly choose the attribut / Namespace, ...?

lrossi89 · ‎2023-02-22

Also in our case:

- following the guide (all steps without step 6 optional)

- + this sk179788

Authentication is working as expected.

The reception of the groups works properly, but only for a short time (about 1 days)

Afterwards it is necessary to force an install policy to force the reception of access roles again (because the user ends up in "all user", seems that the Gw after some time start to recover the groups from local Active Directory groups no longer preferring Azure)

Has anyone had a similar problem and resolved?

Our environment now: R81.10 Take 87

Gaurav_Pandya · ‎2023-02-22

Hi,

We have same behavior for endpoint client SAML authentication. Primarily we are using mobile access vpn with SAML authentication, It is working fine. We have enabled SAML with AAD for endpoint client as well and followed sk179788 for configuration. It worked fine but stopped after 1 day. Users are part of "All users" group and it is not enforcing proper group and hence it hits cleanup rule. Once we push policy, it starts working again.

We are on R81.10 take 66.

lrossi89 · ‎2023-02-22

Can you share some examples about it?

AK2 · ‎2022-12-06

Hi PhoneBoy,

SK172909 lists EndPoint Security Client (specific versions) as a requirement for this. Ok.

Is Authentication via Azure Active Directory IDP supported for the Check Point Capsule VPN client for Windows 10 available in the Microsoft App Store? Our customer has deployed Capsule VPN client and now wishes to add MFA via AAD (and, use Identity Awareness on remote access policies via AAD). I can get VPN client authentication and Identity Awareness via AAD working when I use the Endpoint Security VPN client, but have been trying (and failing) for some time now when I use the Capsule VPN Client.

Thanks in advance for any info on this

PhoneBoy · ‎2022-12-06

Azure AD authentication is not supported with the Caspule VPN clients (be it Windows, iOS, or Android).

AK2 · ‎2023-04-09

Thanks very much for confirming. We ended up using the Endpoint Security VPN client.

Carsten_R · ‎2023-04-10

I'm now able to do an Remote Access authentication with SAML to Azure AD and the authorization is now also possible through SAML.

That was for me the "trickiest" part, because the documentation from Checkpoint is specially for the authorization not really helpful.

I've added here a PDF file. It's based on the R81.20 Remote Access documentation with some additional information from me. I'm using R81.20, because I do not need any additional script installation.

I spent so much time in troubleshooting, because the documentation for the authorization is really bad. I was so dissapointed, that I have needed some time to "calm down".

Hint:

The downside of this implementation is, that you've to configure in your Access Role two "identical" groups, when you like to use Identity Awareness and Remote Access for the same users...

That means:

You can use for Identity Awareness (Browser Based Authentication) the native AAD groups (which are imported through the App Registration) and for Remote Access, you've to use internal user groups in the syntax "EXT_ID_" followed by the AAD role name.

AK2 · ‎2023-04-11

Hi Carsten,

Congratulations and thanks for the document.

I agree, sometimes configuring something like this is not easy and takes significant persistence.

Cheers,

Andrew

Pbeau · ‎2024-02-23

Thanks Carsten_R! Your document in conjunction with the R81.20 Check Point VPN Admin Guide helped me a lot.

CheckPointerXL · ‎2023-03-19

Is this script allow_VPN_RA_for_R8040_and_above_gateways_V2.sh still required in latest jhf?

Are you a member of CheckMates?

SAML Support for Remote Access VPN